You can enable JSON Web Token (JWT) authentication for a managed Informatica Cloud Application Integration API that meets all of the following criteria:
• The associated process uses HTTP/SOAP binding.
• The associated process uses basic authentication and defines the user groups and users who can access the process service URL at run time.
• The associated process is published and exposed as a service.
JWT is an open standard that helps in the secure transmission of information between API consumers and REST web services such as Informatica Cloud Application Integration service APIs.
When you configure JWT authentication, you can generate a token using API Manager or API Portal and use the generated token to invoke the API. API consumers invoke the API by passing the token as a bearer token in the HTTP Authorization header.
An API token identifies an API by its name and version. If you delete an API and then create an API with the same name, you can continue to use the same token to invoke the API.
You can create groups of managed APIs and then generate a token for the group to use when invoking any JWT authenticated API in the group. You can add or remove APIs from the group.
A group token identifies an API group by its group ID. If you delete a group and then create a group with the same name, you can't continue to use the same group token to invoke APIs in the group. You must create a new token for the group.
If an API that has a token is part of a group that has a group token, you can use either token to invoke the API.
JWT tokens that you create for a managed API apply to the API version for which they are created. When you create a new version of an API where JWT authentication is enabled, generate JWT tokens for it.
JSON Web Token Authentication Tasks
After you publish an Informatica Cloud Application Integration process, Informatica Cloud Application Integration automatically exposes the service API to API Manager. You can then create a managed API for the Informatica Cloud Application Integration service API and make it available in API Portal.
Based on the role and privileges you are assigned, you can use API Manager or API Portal to perform JWT authentication tasks.
JWT Authentication Tasks in API Manager
Use API Manager to perform the following tasks for JWT authentication:
1. Configure JWT authentication for the managed API.
2. Generate a token and set an expiration date for the token. You can generate tokens for up to 15 APIs simultaneously. Optionally, you can make the managed API available in API Portal so that API Portal users can discover available APIs and view their authentication method.
3. Invoke the managed API by using the generated token.
JWT Authentication Tasks in API Portal
Use API Portal to perform the following tasks for JWT authentication:
1. View a list of managed APIs available in API Portal and view their authentication method.
2. Generate a token and set an expiration date for the token. You can generate tokens for up to 15 APIs simultaneously.
3. Invoke the managed API by using the generated token.
For more information about the JWT authentication tasks you can perform in API Portal, see the API Portal help.
JSON Web Token Expiration
API Manager sets the JWT expiration in Coordinated Universal Time (UTC) and uses the current time on your computer as the baseline for the expiration time. The token expires on the expiration date that you configure, at a time of day one minute earlier than the time at which you generated the token.
For example, if you generate the token on January 10 at 2:30 p.m. and set the expiration date as January 11, the token expires on January 11 at 2:29 p.m. If you set the expiration date as January 15, the token expires on January 15 at 2:29 p.m. The maximum expiration date for a token is 180 days from the current date.
After a token expires, you cannot refresh it. You must generate a new token.
Prerequisites
Before you configure JWT authentication in API Manager, you must perform the following prerequisite tasks in Informatica Cloud Application Integration:
1. Create a process and enable HTTP/SOAP binding for the process.
2. Configure basic authentication for the process by defining the user groups and users who can access the process service URL at run time.
Note: You can configure JSON web token authentication for a managed API only if the associated process uses basic authentication in Informatica Cloud Application Integration. You cannot configure JWT authentication if the associated process allows anonymous access.
3. Publish the process to expose it as a service.
Configuring JSON Web Token authentication
After you create a managed API for a service that you published in Informatica Cloud Application Integration, you can configure JWT authentication, generate a token, and set an expiration date for the token. Optionally, you can make the managed API available in API Portal so that API Portal users can discover it in API Portal and invoke it.
1. On the API Registry page, click the managed API for which you want to configure JWT authentication.
2. On the General tab, from the Authentication Method list, select JWT - JSON Web Token.
The Generate JWT Access Token area appears on the page.
3. Select an expiration date for the token and click Generate.
API Manager creates a token for the managed API. The token appears on the page.
Note: After you generate a token for the first time, the Generate New Token button appears. You can click this button to generate a new token if your earlier token has expired. After you generate a token, you cannot revoke the token.
4. Click Copy Token to copy the token and send the token to API consumers.
Generating JSON web tokens for multiple managed APIs simultaneously
You can generate tokens simultaneously for up to 15 managed APIs that are configured to use JSON Web Token authentication.
1. On the API Registry page, select the managed APIs to generate tokens for.
2. Click the down arrow above the list of APIs and select Generate Token as shown in the following image:
The Generate JWT Access Token dialog box appears.
3. Select an expiration date for the token.
4. Click Generate to generate a token.
API Manager creates a token for the selected APIs as shown in the following image:
Note: After you generate a token for the first time, the Generate New Token button appears. You can click this button to generate a new token if your earlier token has expired. After you generate a token, you cannot revoke the token.
5. Click Copy Token to copy the token.
You can then invoke the API based on the authentication method it uses.
How API consumers invoke an API with JSON Web Token authentication
To invoke a managed API where JWT authentication is enabled, API consumers pass the token as a bearer token in the HTTP Authorization header.
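Because an expired token cannot be refreshed, an API consumer can check the token's remaining lifetime before attaching it as a bearer token. The following is an added example, not Informatica code. It assumes the token is a compact JWT that carries the standard exp claim (RFC 7519), which this page does not state; the function names, the URL, the sample token and the 300-second threshold are hypothetical.

```python
import base64
import json
import time
import urllib.request


def jwt_claims(token):
    """Decode the payload segment of a compact JWT. No signature check:
    this is for the consumer's own expiry tracking, not for trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def seconds_until_expiry(token, now=None):
    """Seconds left before the exp claim (assumed present, UTC epoch seconds)."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def bearer_request(url, token, now=None, min_remaining=300):
    """Build a request carrying the token in the Authorization header.
    Refuses expired or nearly expired tokens, since they cannot be refreshed."""
    remaining = seconds_until_expiry(token, now)
    if remaining <= 0:
        raise PermissionError("token expired; generate a new token")
    if remaining < min_remaining:
        raise PermissionError(f"token expires in {remaining:.0f}s; rotate before use")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def make_sample_token(exp):
    """Constructed, unsigned sample token for the demo (not an API Manager token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.c2ln"


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value so the demo is repeatable
    token = make_sample_token(NOW + 3600)
    # Placeholder URL; nothing is sent, the request object is only built.
    req = bearer_request("https://api.example.invalid/managed-api", token, now=NOW)
    print(req.get_header("Authorization")[:27] + "...", seconds_until_expiry(token, NOW))
```

The decoded claims are read only to schedule token rotation on the consumer side; the token is still validated by the API that receives it.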
The following image shows an API invoked through Postman with a Bearer Token authorization type and the token that the API consumer entered: